Skip to main content

Cpython CVE-2026-3479

| EUVDEUVD-2026-12940 LOW
Path Traversal (CWE-22)
2026-03-18 PSF
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None

Lifecycle Timeline

4
EUVD ID Assigned
Mar 18, 2026 - 18:45 euvd
EUVD-2026-12940
Analysis Generated
Mar 18, 2026 - 18:45 vuln.today
Patch released
Mar 18, 2026 - 18:45 nvd
Patch available
CVE Published
Mar 18, 2026 - 18:13 nvd
LOW 2.1

DescriptionCVE.org

pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.

AnalysisAI

The pkgutil.get_data() function in CPython fails to properly validate the resource argument, enabling path traversal attacks that allow unauthorized information disclosure. This vulnerability affects CPython across multiple versions and could permit attackers to read arbitrary files from the system where Python code is executing. A patch is available from the Python Software Foundation, and the vulnerability has been documented with proof-of-concept references in the official CPython repository.

Technical ContextAI

The vulnerability exists in Python's pkgutil module, specifically in the get_data() function which is designed to retrieve package resource data. The function is documented to validate resource paths to prevent directory traversal, but this validation was not properly implemented. The root cause falls under CWE path traversal categories, where insufficient input validation allows attackers to use special characters or sequences (such as ../ or absolute paths) to access files outside the intended resource directory. This affects CPython (cpe:2.3:a:python_software_foundation:cpython:*:*:*:*:*:*:*:*), which is the reference implementation of the Python programming language used by millions of developers and deployed in countless applications.

RemediationAI

Apply the patch available from the Python Software Foundation immediately by upgrading to the patched CPython version as specified in the official security advisory (https://mail.python.org/archives/list/security-announce@python.org/thread/WYLLVQOOCKGK73JM7Z7ZSNOJC4N7BAWY/). The patch has been merged into the CPython repository at https://github.com/python/cpython/pull/146122. Until systems can be patched, code review should identify all uses of pkgutil.get_data() and implement additional input validation on the resource argument to ensure only whitelisted, non-traversal paths are accepted. Applications should also apply the principle of least privilege to limit file system access available to Python processes.

CVE-2026-6100 CRITICAL
9.1 Apr 13

CPython decompression modules (lzma, bz2, gzip) allow memory corruption via use-after-free when decompressor instances a

CVE-2026-11972 HIGH
8.2 Jun 23

Denial of service in CPython's tarfile module allows remote attackers to trigger an infinite loop by supplying a crafted

CVE-2026-9669 HIGH
8.2 Jun 08

Stack-based buffer overflow in CPython's bz2.BZ2Decompressor allows remote attackers to crash Python applications by sen

CVE-2026-11940 HIGH
7.8 Jun 23

Path traversal in CPython's tarfile module allows a crafted tar archive to bypass the 'data' and 'tar' extraction filter

CVE-2026-4786 HIGH
7.0 Apr 13

Command injection in CPython's webbrowser.open() API bypasses previous CVE-2026-4519 mitigation via specially crafted UR

CVE-2026-4519 HIGH
7.0 Mar 20

The webbrowser.open() API in CPython accepts URLs with leading dashes, which certain web browsers interpret as command-l

CVE-2026-7774 MEDIUM
6.9 Jun 04

Path traversal in CPython's tarfile module allows malicious tar archives to bypass the data_filter safety mechanism and

CVE-2026-7210 MEDIUM
6.3 May 11

XML parsers in CPython's xml.parsers.expat and xml.etree.ElementTree modules use insufficient entropy for Expat hash-flo

CVE-2026-3276 MEDIUM
6.3 Jun 03

Denial-of-service via quadratic algorithmic complexity in CPython's unicodedata.normalize() affects all CPython versions

CVE-2026-8328 MEDIUM
5.9 May 13

Server-Side Request Forgery in CPython's ftplib module allows a malicious FTP source server to redirect a target FTP ser

CVE-2026-12003 MEDIUM
5.3 Jun 16

Privilege escalation in CPython on Windows enables a low-privileged local user to hijack the module search path of a mor

CVE-2026-0864 MEDIUM
4.1 Jun 23

Config file injection in CPython's configparser module allows an attacker who controls multi-line values written via con

Share

CVE-2026-3479 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy